Implements recommendations of the Parliamentary Joint Committee on Intelligence and Security’s Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 and the Australian Law Reform Commission’s report For Your Information: Australian Privacy Law and Practice by amending the Privacy Act 1988 to require agencies, organisations and certain other entities to provide notice to the Australian Information Commissioner and affected individuals of an eligible data breach.

What does it mean? Well, practically it means that companies and organisations (including the government) who suffer a breach of information must notify the government within a certain time-frame, and therefore may as well tell the public too. Failing to do so attracts penalties. It encourages data security, privacy and cyber-threat literacy, and might also change the ways companies think about technical security and privacy more broadly.

Is it perfect? No. Is it better than hoping it does not happen, or trusting that companies might do the right thing anyway? Hell yes. Huzzah!

Nobody likes to be hacked, and that’s why it is confusing that people ignore the issues of password strength, reuse, good security practices, and (maybe) not signing up for every new flashy service that comes at our browser feeds. Then again, go ahead (sarcasm), your account is probably worth something to the wrong people. My DropBox account was exposed in a security breach a few years ago (which contains 68 million accounts – Sophos blog) – which is why I’m darn glad that I’ve been switching the password every 12 months or so, and also so very glad I’ve subscribed to a hack notification service like HaveIBeenPwned?

To be clear, the notice of this hack isn’t new; we knew years ago because DropBox told its userbase, and everyone changed their passwords then (didn’t you?). Now is when we can see some of what got out.

You’ve been pwned!

You signed up for notifications when your account was pwned in a data breach and unfortunately, it’s happened. Here’s what’s known about the breach:

Breach: Dropbox

Date of breach: 1 Jul 2012

Number of accounts: 68,648,009

Compromised data: Email addresses, Passwords

Description: In mid-2012, Dropbox suffered a data breach which exposed the stored credentials of tens of millions of their customers. In August 2016, they forced password resets for customers they believed may be at risk. A large volume of data totalling over 68 million records was subsequently traded online and included email addresses and salted hashes of passwords (half of them SHA1, half of them bcrypt).

The message is clear. So this post is a PSA – subscribe to a notification service. Read a few articles on good practices, use some of it, and you’re far less likely to find your stuff being stolen by nefarious mongrels with everything to gain from you.